Information Exfiltration with Wi Wi-Fi Micro-Jamming ROM OGEN - - PowerPoint PPT Presentation

information exfiltration with
SMART_READER_LITE
LIVE PREVIEW

Information Exfiltration with Wi Wi-Fi Micro-Jamming ROM OGEN - - PowerPoint PPT Presentation

Apr 16, 2023 16 likes •302 views

Sensorless, , Permissionless Information Exfiltration with Wi Wi-Fi Micro-Jamming ROM OGEN (ROMOG@POST.BGU.AC.IL) OMER SHWARTZ (OMERSHV@POST.BGU.AC.IL) KFIR ZVI (ZVIKF@POST.BGU.AC.IL) YOSSI OREN (YOS@BGU.AC.IL) BEN-GURION UNIVERSITY OF THE

slide-1
SLIDE 1

Sensorless, , Permissionless Information Exfiltration with Wi Wi-Fi Micro-Jamming

ROM OGEN (ROMOG@POST.BGU.AC.IL) OMER SHWARTZ (OMERSHV@POST.BGU.AC.IL) KFIR ZVI (ZVIKF@POST.BGU.AC.IL) YOSSI OREN (YOS@BGU.AC.IL) BEN-GURION UNIVERSITY OF THE NEGEV, ISRAEL

slide-2
SLIDE 2

Background

“A covert listening device, more commonly known as a bug or a wire, is usually a combination of a miniature radio transmitter with a microphone. The use of bugs, called bugging, is a common technique in surveillance, espionage and police investigations. “ - Wikipedia

slide-3
SLIDE 3

Previous Works

Farshteindiker et al. [1] used a device’s gyroscope to exfiltrate data through a victim device. A piezoelectric device causes interferences to the gyroscope sensor that are readable through a javascript running on the device.

[1] Farshteindiker, Benyamin, Nir Hasidim, Asaf Grosz, and Yossi Oren. "How to Phone Home with Someone Else's Phone: Information Exfiltration Using Intentional Sound Noise on Gyroscopic Sensors." In WOOT. 2016.

slide-4
SLIDE 4

Objectives

Develop and evaluate an exfiltration technique that maintains the advantages:

  • 1. Covert
  • 2. Permissionless
  • 3. Long range

While reducing the limitations:

  • 1. Need of physical contact with the victim
  • 2. Power requirements
slide-5
SLIDE 5

Our Contribution

slide-6
SLIDE 6

"Covert channels through external interference."

Shah and Blaze [2] introduced the concept of an “interference channel”, which they defined as a “covert channel that works by creating external interference

  • n a shared communications medium”

[2] Shah, Gaurav, and Matt Blaze. "Covert channels through external interference." Proceedings of the 3rd USENIX conference on Offensive technologies (WOOT09). 2009.

slide-7
SLIDE 7

Interference Channel

The sender cannot communicate directly with the receiver. The victim is an uninvolved, unknowing device performing normal communications. The receiver is capable of receiving some output from the victim and has the ability to separate the benign data from the payload. The malicious communication is hiding in plain sight.

slide-8
SLIDE 8

Micro-Jamming

Many communication protocols, including 802.11, incorporate CCA (Clear Channel Assessment) mechanisms to maintain non-distruptiveness. By briefly jamming the radio channel, Wi-Fi frames and responses can be delayed for several milliseconds.

slide-9
SLIDE 9

Micro-Jamming

slide-10
SLIDE 10

Micro-Jamming

slide-11
SLIDE 11

Micro-Jamming

slide-12
SLIDE 12

Micro-Jamming

slide-13
SLIDE 13

Traditional Jamming vs Micro-Jamming

Traditional Jamming Micro-Jamming Mode of operation Packet loss Packet delay Network layers affected At least 1-2 Only layer 1 Required transmission power Stronger than blocked signal Minimum required for sensing

slide-14
SLIDE 14

Test Setup - Active

slide-15
SLIDE 15

Test Setup - Active

slide-16
SLIDE 16

Test Setup - Active

ATMEGA256RFR2 Xplained Pro evaluation board Keysight 33622A waveform generator Tektronix RSA604 real-time signal analyzer

slide-17
SLIDE 17

Results

slide-18
SLIDE 18

Results

slide-19
SLIDE 19

Results

Successful data transfer at rates of 40 bits-per-second with <10% error rate. Effective to a range of 15+ meters, works through walls. Found functional at low transmission powers of -17 dBm, or 20 microwatts.

slide-20
SLIDE 20

Micro-Jamming Done Passively

When an antenna switches its impendence in a given frequency, it modulates reflects any ambient radio signals while imposing a frequency shift. Previous works[3] have used this phenomenon to shift one Wi-Fi channel to another while modulating data on top of it. Using similar techniques, it is possible to jam a Wi-Fi channel using zero energy for transmission.

[3] Bryce Kellogg, Vamsi Talla, Shyamnath Gollakota, and Joshua R. Smith. Passive wi-fi: Bringing low power to wi-fi transmissions. 13th USENIX Symposium on Networked Systems Design and Implementation, NSDI 2016, Santa Clara, CA, USA.

slide-21
SLIDE 21

Test Setup - Passive

slide-22
SLIDE 22

Test Setup – Passive

slide-23
SLIDE 23

Test Setup – Passive

slide-24
SLIDE 24

Traditional Jamming vs Micro-Jamming (cont’)

Traditional Jamming Micro-Jamming Range vs transmission power Small, must overcome existing signals Large Can be done passively? Not effectively? Demonstrated in the paper Detectability Shows in standard network logs Hard to differentiate from noise

slide-25
SLIDE 25

Demo

slide-26
SLIDE 26

Demo

slide-27
SLIDE 27

Conclusions

Micro-jamming was shown as an effective development over traditional jamming as a covert channel. Using micro-jamming, an implant can transmit over longer distances and use less power than with traditional jamming. In addition, micro-jamming allows for lower-profile exfiltration of data that is harder to detect without actively looking with the right equipment.

slide-28
SLIDE 28

Thank You – Any Questions?

Rom Ogen (romog@post.bgu.ac.il) Omer Shwartz (omershv@post.bgu.ac.il) Kfir Zvi (zvikf@post.bgu.ac.il) Yossi Oren (yos@bgu.ac.il) https://iss.oy.ne.ro/Microjam

Come see our live demo at the USENIX poster session!